IETF Logo Mail Archive

Re: [therightkey] Barely-capable CAs

Rob Stradling <rob.stradling@comodo.com> Thu, 01 November 2012 20:06 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0C5421F946C for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 13:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.274
X-Spam-Level:
X-Spam-Status: No, score=-6.274 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGoXznfKl3xP for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 13:06:33 -0700 (PDT)
Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id DBF7221F947B for <therightkey@ietf.org>; Thu, 1 Nov 2012 13:06:31 -0700 (PDT)
Received: (qmail 25017 invoked from network); 1 Nov 2012 20:06:30 -0000
Received: from ian1.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.201) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 1 Nov 2012 20:06:30 -0000
Received: (qmail 9123 invoked by uid 1000); 1 Nov 2012 20:06:30 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Thu, 01 Nov 2012 20:06:30 +0000
Message-ID: <5092D644.5020909@comodo.com>
Date: Thu, 01 Nov 2012 20:06:28 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com> <alpine.BSF.2.00.1211010935330.60568@hiroshima.bogus.com> <CAMm+LwjQiJ3aWpAYdy1hxtf09Sf=4g9AO=r-PihSPVkc8PMLkg@mail.gmail.com> <5092B8C4.3070607@cs.tcd.ie> <CABrd9SRKuo-VW6AHapz0NogKSGmcXXtRomTh1bvZudaB5q-GTQ@mail.gmail.com> <CAMm+LwhxLYhEJ213AmvTo6cCfPRq_0X1hxJx1vN13nfxkBWLiw@mail.gmail.com> <CABrd9ST3=4b73jDZb=Cxq6L_+2z7ExCKcY-ywBiD5hW98uAWBw@mail.gmail.com> <CAMm+Lwh3KeAXibf+vE9KW+JJ7XaUSDMkstcTp-LDwCQe7QX8Mg@mail.gmail.com>
In-Reply-To: <CAMm+Lwh3KeAXibf+vE9KW+JJ7XaUSDMkstcTp-LDwCQe7QX8Mg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Lucy Lynch <llynch@civil-tongue.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ben Laurie <benl@google.com>, Paul Hoffman <paul.hoffman@vpnc.org>, "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 20:06:34 -0000

On 01/11/12 20:01, Phillip Hallam-Baker wrote:
> OK so some examples do exist. But really what proportion of real world
> compromises do not involve something bone headed like using a 512 bit
> key for DKIM signatures?
>
> What I am saying here is not 'don't do CT', I am saying that we have to
> make the ease of administration a high priority in the design.

I would say that "ease of administration" for server operators is one of 
the main reasons why Ben is interested in getting CAs to participate!  ;-)

> On Thu, Nov 1, 2012 at 3:52 PM, Ben Laurie <benl@google.com
> <mailto:benl@google.com>> wrote:
>
>     On 1 November 2012 18:38, Phillip Hallam-Baker <hallam@gmail.com
>     <mailto:hallam@gmail.com>> wrote:
>      > Again, does it appear so subtle after it has been discovered?
>
>     Well, I find I have to remind myself how it works. So ... yeah.
>
>     Also, I assumed Bliechanbacher was the exponent 3 thing, which was
>     also pretty subtle.
>
>      >
>      > Would the flaw have been discovered sooner if there was not so
>     much dead
>      > code?
>
>     I don't think dead code had any influence on either of these.
>
>      >
>      >
>      > On Thu, Nov 1, 2012 at 2:35 PM, Ben Laurie <benl@google.com
>     <mailto:benl@google.com>> wrote:
>      >>
>      >> On 1 November 2012 18:00, Stephen Farrell
>     <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>>
>      >> wrote:
>      >> >
>      >> >
>      >> > On 11/01/2012 05:22 PM, Phillip Hallam-Baker wrote:
>      >> >> Having worked in Web security over 20 years now, I have still
>     to see a
>      >> >> case
>      >> >> where a system was breached because of a really subtle design
>     flaw.
>      >> >
>      >> > Bleichenbacher?
>      >>
>      >> TLS renegotiation?
>      >>
>      >> >
>      >> > S.
>      >> > _______________________________________________
>      >> > therightkey mailing list
>      >> > therightkey@ietf.org <mailto:therightkey@ietf.org>
>      >> > https://www.ietf.org/mailman/listinfo/therightkey
>      >
>      >
>      >
>      >
>      > --
>      > Website: http://hallambaker.com/
>      >
>
>
>
>
> --
> Website: http://hallambaker.com/
>
>
>
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

v2.23.0 | Report a Bug | By Email